# This role creates Wikitcms release validation events. There should
# always be exactly one host in infra with this role set up and
# relvalconsumer_prod set to True, or else we'll stop getting events.
# It also updates the AMI pages for the events when relevant AMI
# images are published.
#
# Required vars
# - wikitcms_token
##      string - a token file to install for unattended wiki editing
#                using openidc auth
# - relvalconsumer_amqp_queue
##      string - Message queue name for the consumer. To use the
##               fedora-messaging scheduler with public authentication
##               on the Fedora production AMQP broker (which is what
##               you'd typically want), you only need to set this.
##               This should be a unique and private string; the
##               official recommendation is to use a random UUID
##               generated by uuidgen.
# - relvalamiconsumer_amqp_queue
##      string - Message queue name for the AMI consumer. To use the
##               fedora-messaging scheduler with public authentication
##               on the Fedora production AMQP broker (which is what
##               you'd typically want), you only need to set this.
##               This should be a unique and private string; the
##               official recommendation is to use a random UUID
##               generated by uuidgen.
#
# Required vars with defaults
# - relvalconsumer_prod
##       bool - whether this is the production instance. **SHOULD ONLY
##              EVER BE TRUE ON ONE SYSTEM IN THE WORLD**
##       default - False
# - relvalconsumer_amqp_passive
##        bool - If true, passive_declares will be set true in all the
##               fedora-messaging consumer configuration files. This
##               is needed for private authentication on the Fedora
##               brokers.
##       default - False
# - relvalconsumer_amqp_url
##      string - AMQP broker URL for fedora-messaging event creator.
##               The role default for this is the Fedora production
##               broker with the shared 'fedora' username.
# - relvalconsumer_amqp_cacert
##      string - CA certificate file to use for authenticating with
##               AMQP broker for fedora-messaging event creator.
##               The role default for this is the CA cert file for the
##               Fedora production broker.
# - relvalconsumer_amqp_cert
##      string - Certificate file to use for authenticating with AMQP
##               broker for fedora-messaging event creator. The role
##               default for this is the certificate file for the
##               public 'fedora' account on the Fedora production
##               broker.
# - relvalconsumer_amqp_key
##      string - Private key file to use for authenticating with AMQP
##               broker for fedora-messaging event creator. The role
##               default for this is the key file for the public
##               'fedora' account on the Fedora production broker.
# - relvalconsumer_amqp_routing_keys
##        list - List of routing key names for the fedora-messaging
##               creator to subscribe to. The role default for this
##               is the appropriate keys for the Fedora production
##               broker.
# - relvalconsumer_amqp_mailfrom
##      string - From email address for error report emails. Defaults
##               to "root@{{ external_hostname }}". Only relevant if
##               relvalconsumer_amqp_mailto is set.
# - relvalconsumer_amqp_smtp
##      string - Hostname of SMTP server to use for sending error
##               emails. Defaults to 'localhost'. Only relevant if
##               relvalconsumer_amqp_mailto is set.
# - relvalconsumer_disabled
##        bool - If true, don't enable the consumer service. This is
##               mainly just for temporary use if something's broken.
##     default - False
# - relvalamiconsumer_amqp_routing_keys
##        list - List of routing key names for the event AMI page
##               updater to subscribe to. The role default for this
##               is the appropriate keys for the Fedora production
##               broker.
# - relvalamiconsumer_disabled
##        bool - If true, don't enable the consumer service. This is
##               mainly just for temporary use if something's broken.
##     default - False
#
# Optional vars
# - relvalconsumer_amqp_mailto
##        list - List of email addresses to email errors to. If set,
##               the email log handler will be configured.
# - relvalconsumer_bugzilla_api_key
##        string - An API key for Bugzilla. If relvalconsumer_prod and
##                 this are both set, the consumer will be configured
##                 to report bugs to Bugzilla for oversize images. As
##                 with relvalconsumer_prod, only the 'official' prod
##                 instance should have this set.

# note: kept around for when we need packages from u-t
#- name: Install required packages (testing)
#  dnf:
#    name: ['python3-fedfind', 'python3-wikitcms']
#    state: present
#    enablerepo: "updates-testing"
#  tags:
#  - packages
- name: Install required packages
  package:
    # 'relval' itself is needed as we call it directly for size
    # checking
    name:
    - python3-fedfind
    - python3-wikitcms
    - fedora-messaging
    - python3-mwclient
    - python3-pip
    - python3-setuptools
    - relval
    state: present
  tags:
  - packages

- name: Install required packages (wiki oidc auth)
  # Only needed when a token for unattended wiki editing is being
  # deployed; without wikitcms_token this task is skipped.
  package:
    name: python3-openidc-client
    state: present
    enablerepo: updates
  when: wikitcms_token is defined
  tags:
  - packages

# duplicated with openqa/dispatcher, but I kinda don't want to move
# this up somewhere shared, I like the roles to be somewhat usable
# outside of Fedora infra...
# We actually want to handle the case where wikitcms_token isn't defined
# even though it makes this role essentially do nothing, as we don't
# really want openqa-stg creating stuff in the staging wiki all the
# time. So in that case we install the role but leave it disabled.
- name: Create /root/.openidc (token file location for manual runs as root)
  # 0700: the token kept here grants unattended wiki edit rights, so
  # nobody but root may even list the directory.
  file:
    path: /root/.openidc
    state: directory
    owner: root
    group: root
    mode: "0700"

#- name: Write wikitcms token file for root
#  copy: src={{ wikitcms_token }} dest=/root/.openidc/oidc_wikitcms.json owner=root group=root mode=0600
#  when: "wikitcms_token is defined"
#  tags:
#  - config

- name: Check out relvalconsumer
  # No 'version' is given, so each run follows the upstream default
  # branch; the result is registered so the install task below only
  # reruns when the checkout actually moved.
  # NOTE(review): the checkout is installed as root by a later task,
  # so pinning 'version' to a tag or commit would make runs
  # reproducible and reviewable.
  git:
    dest: /root/relvalconsumer
    repo: https://pagure.io/fedora-qa/relvalconsumer.git
  register: gitrvc

- name: Check if relvalconsumer is installed for current Python
  # Pure probe: only the exit code is consumed (by the install task's
  # condition), so it never reports changed or failed and also runs in
  # check mode.
  command: pip show relvalconsumer
  register: instrvc
  changed_when: false
  failed_when: false
  check_mode: false

- name: Install relvalconsumer
  # Re-install only when the checkout changed or the probe above found
  # no installed copy; the consumer service is restarted afterwards.
  command:
    cmd: python3 setup.py install
    chdir: /root/relvalconsumer
  when: gitrvc is changed or instrvc.rc != 0
  notify:
  - restart relvalconsumer

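- name: Create /etc/pki/fedora-messaging
  file:
    dest: /etc/pki/fedora-messaging
    # Quoted so the leading zero survives a YAML 1.2 loader (unquoted
    # 0775 would become decimal 775). Others keep r-x so the geekotest
    # group, which reads the key deployed below, can traverse here.
    mode: "0775"
    owner: root
    group: root
    state: directory
  when: deployment_type is defined
  tags:
  - config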

# We always use the openQA production cert and key here for now; we
# don't really need a separate identity for relvalconsumer. We don't
# use the staging identity as even staging relvalconsumer listens on
# the prod bus.
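- name: Deploy the Fedora infra fedora-messaging cert (openQA production)
  copy:
    src: "{{ private }}/files/rabbitmq/production/pki/issued/openqa.crt"
    dest: /etc/pki/fedora-messaging/openqa-cert.pem
    # Quoted so the leading zero survives a YAML 1.2 loader; the
    # certificate is public material, so world-readable is acceptable.
    mode: "0644"
    owner: root
    group: root
  when: deployment_type is defined
  tags:
  - config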

# This is kinda icky, as there's no intrinsic reason the group geekotest
# should exist so far as this role is concerned. But as we run this role
# on the same box as openQA, in fact we need to keep the ownership in
# line. This needs making cleaner somehow.
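- name: Deploy the Fedora infra fedora-messaging key
  copy:
    src: "{{ private }}/files/rabbitmq/production/pki/private/openqa.key"
    dest: /etc/pki/fedora-messaging/openqa-key.pem
    # Quoted so the leading zero survives a YAML 1.2 loader. 0640 keeps
    # the private key readable only by root and the geekotest group;
    # it must never be widened to others.
    mode: "0640"
    owner: root
    group: geekotest
  when: deployment_type is defined
  tags:
  - config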

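- name: Create python-bugzilla configuration directory
  file:
    dest: /root/.config/python-bugzilla
    # Quoted so the leading zero survives a YAML 1.2 loader; root-only
    # because the bugzillarc written below is keyed with an API key.
    mode: "0700"
    owner: root
    group: root
    state: directory
  when: relvalconsumer_bugzilla_api_key is defined
  tags:
  - config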

- name: Write python-bugzilla configuration file
  # Presumably carries relvalconsumer_bugzilla_api_key (the template is
  # not in view), hence root-only 0600.
  template:
    src: bugzillarc.j2
    dest: /root/.config/python-bugzilla/bugzillarc
    owner: root
    group: root
    mode: "0600"
  when: relvalconsumer_bugzilla_api_key is defined
  tags:
  - config

- name: Configure fedora-messaging relvalconsumer
  # Consumer config (broker URL, cert/key paths, queue name); 0640 so
  # the private queue name is not world-readable. Any change restarts
  # the consumer.
  template:
    src: relvalconsumer.toml.j2
    dest: /etc/fedora-messaging/relvalconsumer.toml
    owner: root
    group: root
    mode: "0640"
  notify:
  - restart relvalconsumer
  tags:
  - config

- name: Configure fedora-messaging relvalamiconsumer
  # AMI page updater config; same ownership and 0640 mode as the main
  # consumer config. Any change restarts the AMI consumer.
  template:
    src: relvalamiconsumer.toml.j2
    dest: /etc/fedora-messaging/relvalamiconsumer.toml
    owner: root
    group: root
    mode: "0640"
  notify:
  - restart relvalamiconsumer
  tags:
  - config

- name: Enable and start fedora-messaging relvalconsumer
  # Skipped (service left as-is) when relvalconsumer_disabled is set.
  service:
    name: fm-consumer@relvalconsumer
    enabled: true
    state: started
  when: not relvalconsumer_disabled|bool

- name: Enable and start fedora-messaging relvalamiconsumer
  # Skipped (service left as-is) when relvalamiconsumer_disabled is set.
  service:
    name: fm-consumer@relvalamiconsumer
    enabled: true
    state: started
  when: not relvalamiconsumer_disabled|bool
